Zombinder on the Dark Web allows hackers to add malware to legitimate apps
ThreatFabric’s security researchers have reported a new dark web platform where cybercriminals can easily add malware to legitimate Android applications.
This platform, called Zombinder, was discovered while investigating a campaign in which fraudsters distributed several kinds of Windows and Android malware, including the Ermac Android banking trojan and Windows malware such as the Laplas clipper and the Erbium and Aurora stealers.
This comes just days after a new dark web marketplace called “InTheBox” emerged online, serving smartphone malware developers and operators.
Further investigation led the researchers to a third-party dark web service called Zombinder: an APK binding service that has been advertised since March 2022 and that “binds” a malicious payload into a legitimate Android app package.
According to ThreatFabric’s blog post, many different threat actors use the service and advertise it on hacker forums. On one such forum it was promoted as a universal binder that can attach malware to almost any legitimate app.
The campaign is designed to look as if it helps users get online at internet hotspots, impersonating a WiFi authorization portal. In reality, the site pushes several different strains of malware.
What does Zombinder do?
In the campaign discovered by ThreatFabric’s researchers, the service was used to distribute the Xenomorph banking malware disguised as the VidMate app. The modified app is offered for download on a malicious website that mimics the program’s official site, and victims are lured to that site through malicious advertisements.
An app processed by Zombinder keeps working exactly as the legitimate app does, while the bound malware runs in the background; the victim sees nothing unusual and remains unaware of the infection.
Zombinder itself currently binds only Android apps, but its operators also offer a binding service for Windows apps. In this campaign, users who chose the Windows download received the Erbium stealer, a notorious Windows malware family that steals stored passwords, cookies, credit card details and cryptocurrency wallet data.
It is worth noting that the malicious website’s landing page offers two download buttons, one for Windows and one for Android. When a user clicks the Download for Windows button, they receive malware built for Microsoft’s operating system, including Aurora, Erbium and the Laplas clipper. The Download for Android button delivers the Ermac banking trojan instead.
How to stay protected?
To be safe, don’t sideload apps, even if you are desperate to get a specific product to work. Avoid installing apps from unknown or unofficial sources on your Android phone and stick to legitimate sources such as the Google Play Store, Amazon Appstore or Samsung Galaxy Store. Always check an app’s rating and reviews, and look at the developer’s official website before installing anything new. A repackaged app can look and behave exactly like the original, so the download source matters more than how the app looks once installed.
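As an added example (not from the article or from ThreatFabric’s report), the following Python script turns the “don’t sideload” advice into a check you can actually run on a device: it parses the output of `adb shell pm list packages -i -3` (third-party packages with their recorded installer) and flags every app that was not installed by one of the store apps named above. The store installer package names are my assumption, and the `pm` output embedded below is a constructed sample, not data from a real phone.

```python
import re
import sys
from typing import Dict, List, Tuple

# Assumed installer package names for the stores named in the article.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
    "com.amazon.venezia",               # Amazon Appstore
}

# Constructed sample of `adb shell pm list packages -i -3` output.
# `installer=null` means the platform recorded no installer, which is what a
# sideload via a file manager or `adb install` typically leaves behind.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.vidmate  installer=null
package:com.example.wifiportal  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.amazon.venezia
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> installer package name ('null' when none recorded)."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("inst")
    return installed


def find_untrusted(installed: Dict[str, str],
                   trusted=frozenset(TRUSTED_INSTALLERS)) -> List[Tuple[str, str]]:
    """Return (package, installer) pairs whose installer is not a trusted store.

    Apps installed straight through the system package installer (as happens
    when a downloaded APK is opened from the browser) are flagged as well,
    because that is exactly the path a fake download site relies on.
    """
    flagged = [(pkg, inst) for pkg, inst in installed.items() if inst not in trusted]
    return sorted(flagged)


if __name__ == "__main__":
    # Usage: adb shell pm list packages -i -3 | python3 check_installers.py
    # With no piped input the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_OUTPUT
    for pkg, inst in find_untrusted(parse_pm_output(text)):
        print(f"{pkg}\tinstaller={inst}")
```

The `-3` flag matters: without it, preloaded system apps also show `installer=null` and would drown the list in false positives. The check is only a triage aid, since the installer field is metadata recorded by the device and says nothing about what the package contains; a flagged app still has to be examined, and an unflagged one is not proven clean.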